Creating a DMZ in OpenVPN Access Server

An OpenVPN Access Server demilitarized zone (DMZ) uses network address translation (NAT) to send requests coming in on a private or public IP address on the Access Server to a connected VPN client. The idea here is to provide an external static IP for a service running on a VPN client in an internal network. Requests made on an IP address that the Access Server manages can be forwarded to a service running on the VPN client.

This documentation describes the two ways in which you can configure a DMZ in the Access Server - via the web interface or via the command line.

Note: On Amazon AWS you will have to adjust the security groups to let traffic pass through. Also on Amazon AWS you will have to use the local private IP address that is on the EC2 instance itself instead of using its public IP address.

Create a DMZ with the Admin Web UI

In this example we forward traffic on TCP port 80 on public IP on the Access Server to a particular VPN user.

  1. Sign in to your Access Server Admin Web UI.
  2. Click User Management  > User Permissions.
  3. Locate the user you want to configure DMZ for and click the icon More Settings.
  4. Under DMZ Settings, click Yes for Configure DMZ IP address.
  5. Enter the IP address and TCP or UDP port. For example:
  6. Click Save Settings and Update Running Server.

For more information about the User Permissions page, refer to the Admin Web UI User Manual.

Create a DMZ with the Command Line Interface

Like the example above we will forward TCP traffic on port 80 on public IP to a particular VPN user.

The config key dmz_ip.n in the user properties database defines which IP on the VPN server side must forward connections to this particular VPN user. The n indicates that it is iterable, meaning you can specify multiple such records for a user. It starts with 0 and counts up from there. The key value is expected in the format of ip:protocol/port. In the examples below this will become clear. It is possible to specify only IP address to reroute all incoming requests, but you should use this with caution, as it can block access to your Access Server. All commands must be run as root user in the /usr/local/openvpn_as/scripts/ directory.

Forward incoming port TCP 80 on to the user:

./sacli --user <USER> --key "dmz_ip.0" --value "" UserPropPut
./sacli start

The DMZ rule is now operational for TCP port 80. If there is an HTTP server running on that VPN client, you should now be able to access in your web browser, even outside of the VPN systems.

To remove such a rule delete its relevant key:

./sacli --user <USER> --key "dmz_ip.0" ConfigDel
./sacli start

Implementation Notes

  • Both the source and destination IP addresses are routed with NAT. The destination address of incoming packets is translated to the VPN IP address of the client. The source address is translated to the VPN gateway IP address of the first OpenVPN daemon of the Access Server. This means assuming a default configuration of for the VPN subnet, the packets will have source IP
  • The DMZ IP address can be any IP address that is on a network interface on the Access Server. When you specify a DMZ IP address with a specific protocol/port defined, only the traffic that is directed to that protocol/port is routed through. This means that if the DMZ IP address is also bound to an interface on the server, that interface can still handle other traffic.
  • If you specify an IP address only for the DMZ value, it will redirect all ports to the VPN client. Be aware that if you do this on the IP that is used by the Access Server itself for its web and VPN tunnel daemons you would effectively be cutting yourself off from access to your Access Server. You should only do this on secondary IP addresses, not the primary one.
  • Clients connected to the VPN with reroute_gw defined can access a DMZ IP address through the tunnel.
  • A DMZ IP address works with a VPN client that uses either a static or dynamic VPN IP address.
  • Access Server ensures that clients don’t declare conflicting DMZ IP addresses.
  • A DMZ on Access Server makes heavy use of the iptables SNAT, DNAT, and MARK modules.
  • A DMZ on Access Server is subject to the limitations of NAT, and won’t work with protocols that have problems with NAT like SIP.